Reputation: 3444
GWT SafeHTML, XSS & Best Practices
The good people of OWASP emphasize that you MUST use the escape syntax for the part of the HTML document you’re putting untrusted data into (body, attribute, JavaScript, CSS, or URL). See OWASP - XSS. Their API (developed by the ESAPI team) subsequently caters for this having encoders for each context:
ESAPI.encoder().encodeForHTML("input");
ESAPI.encoder().encodeForHTMLAttribute("input");
ESAPI.encoder().encodeForJavaScript("input");
ESAPI.encoder().encodeForCSS("input");
ESAPI.encoder().encodeForURL("input");
Subsequently this allows the developer to cater for DOM-based XSS .
So my question is how does GWT's safehtml package cater for this or does it merely focus on HTML encoding?
Upvotes: 5
Views: 4227
Answers (1)
Reputation: 64541
SafeHtmlTemplates will do it (client-side only though, as it relies on a GWT generator). It'll parse the HTML fragment using a "tag soup" parser, that will infer the context and either log a warning or throw if the argument cannot be used in this context (for instance, it prevents all use of placeholders in script context). This is still in flux though (SafeUri is still in review and SafeStyles is still severely limited) but it'll be there in due time (should be in GWT 2.4 I think).
Otherwise:
SafeHtmlUtils's will escape all of<,>,&,'and"so the result is safe for "HTML" and "HTML attribute" contextsSafeHtmlBuilder's various append methods will just callSafeHtmlUtilsunder the hoodUriUtilsprovides tools to scrub unsafe URIs (you'll still need aSafeHtmlUtilspass or equivalent afterwards if you're building an HTML string –vs. using the value directly for an image's source or anchor's href–).SafeStylesdoesn't provide anything specific in itself, butSafeHtmlTemplateswill only allow it at the beginning of a CSS context, and will log a warning if you try to put anything else in a CSS context.SafeStylesBuilderis expected to be extended with type-safe methods, to help build well-formed CSS.- I've been working on a
SafeUriinterface, similar toSafeStylesbut in a URL context. In due time,SafeHtmlTemplateswill only allow aSafeUrior aStringas the full value of a URL attribute, passing theStringthroughUriUtilsto make sure it's safe.
In brief, I think the answer to your question is: yes, GWT's safehtml package cater for this; but you'll probably have to always use the latest version of GWT (at least for the coming year) to be safe.
Upvotes: 4
Related Questions
- XSS prevention: client or server-side?
- How safely generate HTML pages on GWT?
- Best practice securing GWTP application
- Is there a need for GWT SafeHtml when using UiBinder?
- GWT Safe HTML Framework: When to use, and why?
- GWT HTML Widget XSS security
- GWT security one more time
- Security and GWT - client side
- GWT HTML widget security risks
- GWT interfering with XSS preventative measures